Security Programs
Infosec¶
| Link | Notes |
|---|---|
| Information Security Services functions | Each section within the Information Security Services function is compromised of numerous departments, each with their own functions to support the larger department |
| Early Security for Startups | What should a startup without a security team do for security? |
Product / DevOps¶
| Link | Notes |
|---|---|
| Netflix The Paved Road at Netflix | |
| Netflix Netflix Culture Meets Product Security |
|
| Netflix Scaling Appsec at Netflix |
|
| Cruise Building a Container Platform at Cruise | Environments & Tenants, Infrastructure Boundaries, Platform Boundaries |
| Cruise Container Platform Security at Cruise | Identity, Authentication, Authorization, Secrets, Encryption |
| Cruise Container Platform Networking at Cruise | GCP Hybrid Connectivity Options |
| Security maturity levels of Product Security Teams | Grouping dev teams into 4 security maturity levels |
| Cloudflare Startup Security: Starting a Security Program at a Startup |
|
| Compliance in a DevOps Culture | Integrating the necessary Security Controls and Audit capabilities to satisfy Compliance requirements within a DevOps culture can capitalize on CI/CD pipeline automation, but presents unique challenges as an organization scales |
AppSec Specific¶
| Link | Notes |
|---|---|
| An opinionated guide to scaling your company's security | Clint's talk summarising approaches from multiple companies |
| Uber The Path to Code Provenance | Strategy for ensuring we have a verifiable attestation of the origin of all code running in production |
| The Art of Vulnerability Management | How to create a positive vulnerability management culture and process that works for engineers and the security team |
| Beyond The Security Team | |
| Implement Security Champions Programme | Main steps for fast establishment of a Security Champions program regardless of the company size and maturity of the existing security processes |
| How we run our bug bounty program at Segment | |
| A Guide to Threat Modelling for Developers | Clear and simple steps to help teams that want to adopt threat modelling |
| Awesome Threat Modeling | |
| Appsec Development: Keeping it all together at scale |
|
| Creating Security Decision Trees With Graphviz | |
| Democratizing Security: Application Security Scanning | How to build an application and cloud security automation program |
| Building a SAST program at Razorpay’s scale | No single tool or technique can identify all security defects in an application. Part of building a mature Security program is to use a number of techniques to find security defects |
Teams¶
| Link | Notes |
|---|---|
| The Actual Cybersecurity Workforce Challenge | There is a cybersecurity skills crisis, but the answer is not to simply focus on creating more trained cybersecurity professionals |
Risk / Compliance¶
| Link | Notes |
|---|---|
| The SOC2 Starting Seven | 7 things you can do now that will simplify SOC2 for you down the road while making security posture materially better in the immediacy |
| SOC2: The Screenshots Will Continue Until Security Improves | A great post explaining what SOC2 is and how it works |
| Everything and Anything You Need To Know About SOC 2 | A high-level overview of SOC2 |
| Cybersecurity and the Board : A Fresh Perspective? | How to represent cybersecurity (or technology / information risks more generally) to the Board |
| Prioritizing Cloud Risk Requires Context to be Effective | Prioritizing risk mitigation based on CIS output alone misses something critical: organizational context |
| Open-Sourcing riskquant, a library for quantifying risk | |
| Experimenting with visualizations and code risk overview |